
Data Sheet

Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features

Introduction to Public Key Infrastructure

Public Key Infrastructure (PKI) offers a scalable method of securing networks, reducing management overhead, and simplifying the deployment of network infrastructures by deploying Cisco IOS Security protocols, including Cisco IOS IPsec, Secure Shell (SSH), and Secure Socket Layer (SSL). Cisco IOS Software can also use PKI for authorization via access lists and authentication resources. Additional new features build the value-added proposition of Cisco IOS Software to simplify the provisioning and management of Cisco IOS security technologies. Any network, from small home office routers to the core systems of the world's largest service provider networks, can benefit from the enhanced security in Cisco IOS Software.

PKI is a system that manages encryption keys and identity information for the human and mechanical components of a network that participate in secured communications. For a person or a piece of equipment to enroll in a PKI, the software on the user's computer generates a pair of encryption keys that will be used in secured communications: a public key and a private key. Alternatively, the pair can be generated by a component of the operating system or functional software on a network device. The private key is never distributed or revealed; conversely, the public key is freely distributed to any party that negotiates a secure communication. During the enrollment process, the user's public key is sent in the certificate request to the certification authority responsible for the portion of the organization to which that entity belongs. The user sends the public key to the registration component of the Certification Authority (CA). Subsequently, the administrator approves the request and the CA generates the user's certificate.
After the user receives a certificate and installs it on the computer, they can participate in the secured network.

All contents are Copyright All rights reserved. Important Notices and Privacy Statement. Page 1 of 5

Figure 1  Public Key Infrastructure Enrollment (five-step diagram; labels: Generate Keys, Request, Sign, End Host, User's Keys, CA's Keys, Certification Authority; each key pair shown as PRIV and PUB)

PKI is used most frequently for encrypted communications and IPsec tunnel negotiation, which both use the identity and security features of the certificate. The identity components determine the identity of the user, their level of access to the particular type of communication under negotiation, and the encryption information that protects the communication from other parties who are not allowed access. Communicating parties exchange certificates and inspect the information presented by the other. The certificates are checked to see whether they are within their validity period and whether they were generated by a trusted PKI. If all the identity information is appropriate, the public key is extracted from the certificate and used to establish an encrypted session.

The Case for PKI

There are multiple methods for compromising the security of a network: man-in-the-middle attacks, sniffing, tampering, and denial of service. Administrators must deploy some combination of encryption and authentication to ensure that hackers do not compromise the communications of a secured network. To fully leverage most encryption and authentication technologies, key information must be distributed between the components that will manage network security. Passwords, known as shared secrets, are the simplest way to distribute keys. This requires the configuration of all secured network devices, so that any two devices negotiating a session will have been pre-set with each other's passwords. Shared secrets should be unique and should be changed periodically to ensure continued security. All of these requirements add up to a fairly substantial task to provision and manage shared secrets for encryption.
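The enrollment and validation flow described above, as an added example (an editor's illustration in Python, not Cisco code and not part of the data sheet). It goes one step beyond the text by validating a root CA -> sub-CA -> router chain, which is the N-tier chaining the data sheet lists later in Table 1. The toy RSA built on fixed, publicly known Mersenne primes, the JSON encoding standing in for DER, the truncated digest in place of PKCS#1 padding, and every name (root-ca, sub-ca, router1.example.net) are assumptions made for the example; the key generator is for illustration only and is not secure.

```python
import hashlib
import json

# Editor's toy PKI model; not Cisco code. Keys come from fixed Mersenne primes so
# the example runs offline. Illustration only: this is not a secure key generator.
E = 65537
TOY_PRIMES = {                       # constructed, publicly known primes
    "root-ca": (2**521 - 1, 2**607 - 1),
    "sub-ca":  (2**107 - 1, 2**127 - 1),
    "device":  (2**61 - 1, 2**89 - 1),
}

def keygen(p, q):
    """Return (public, private) toy RSA key pair from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}

def _digest(data):
    # SHA-256 truncated to 128 bits so the integer is below every toy modulus;
    # real signatures carry the full hash inside PKCS#1 or PSS padding.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(priv, data):
    return pow(_digest(data), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data)

def encode(tbs):
    """Canonical byte encoding of the to-be-signed fields (stands in for DER)."""
    return json.dumps(tbs, sort_keys=True).encode()

def make_request(subject, pub):
    """Steps 1-2: the enrolling entity keeps its private key and sends only identity + public key."""
    return {"subject": subject, "public_key": pub}

def ca_issue(ca_name, ca_priv, request, now, lifetime, approved):
    """Steps 3-4: only after administrator approval does the CA sign a certificate."""
    if not approved:
        raise PermissionError("enrollment request not approved by administrator")
    tbs = {"subject": request["subject"], "issuer": ca_name,
           "public_key": request["public_key"],
           "not_before": now, "not_after": now + lifetime}
    return {"tbs": tbs, "signature": sign(ca_priv, encode(tbs))}

def validate(cert, trusted, now):
    """Step 5: validity period, trusted issuer, then signature. Returns (public_key, status)."""
    tbs = cert["tbs"]
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return None, "outside validity period"
    issuer_key = trusted.get(tbs["issuer"])
    if issuer_key is None:
        return None, "issuer not trusted"
    if not verify(issuer_key, encode(tbs), cert["signature"]):
        return None, "bad signature"
    return tbs["public_key"], "ok"

def validate_chain(chain, trust_store, now):
    """N-tier chaining: chain is ordered leaf first; each validated CA cert vouches for the next link."""
    trusted = dict(trust_store)
    key = None
    for cert in reversed(chain):
        key, status = validate(cert, trusted, now)
        if key is None:
            return None, f"{cert['tbs']['subject']}: {status}"
        trusted[cert["tbs"]["subject"]] = key
    return key, "ok"

def demo():
    """Constructed scenario: root CA -> regional sub-CA -> router. Returns the observable outcomes."""
    root_pub, root_priv = keygen(*TOY_PRIMES["root-ca"])
    sub_pub, sub_priv = keygen(*TOY_PRIMES["sub-ca"])
    dev_pub, dev_priv = keygen(*TOY_PRIMES["device"])
    now, year = 1_000_000, 365 * 86400
    sub_cert = ca_issue("root-ca", root_priv, make_request("sub-ca", sub_pub), now, 5 * year, approved=True)
    dev_cert = ca_issue("sub-ca", sub_priv, make_request("router1.example.net", dev_pub), now, year, approved=True)
    trust_store = {"root-ca": root_pub}          # the relying party trusts only the root
    chain = [dev_cert, sub_cert]
    key, status = validate_chain(chain, trust_store, now + 3600)
    # The extracted public key is what the peer uses next: here it checks the router's
    # proof of possession, a signature over a fresh session nonce.
    nonce = b"constructed-session-nonce"
    proof_ok = verify(key, nonce, sign(dev_priv, nonce))
    expired = validate_chain(chain, trust_store, now + 2 * year)[1]
    untrusted = validate_chain(chain, {}, now + 3600)[1]
    forged = {"tbs": dict(dev_cert["tbs"], subject="router2.example.net"), "signature": dev_cert["signature"]}
    tampered = validate_chain([forged, sub_cert], trust_store, now + 3600)[1]
    return status, proof_ok, expired, untrusted, tampered

if __name__ == "__main__":
    print(demo())
```

The three failure paths in demo() are the checks the text names: an expired leaf is rejected even though the sub-CA certificate is still valid, a relying party with an empty trust store rejects the chain at the first link it cannot anchor, and editing any signed field (here the subject) breaks the CA's signature, so a certificate cannot be re-pointed at another identity.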
While RSA encryption keys increase encryption security, the network and security operations teams still carry a great deal of responsibility. Administrators must ensure that all devices in the network can communicate, and must manually intervene to maintain security if the network is compromised or if they are locked out of a device.

PKI, consisting of one or more CA servers and digital certificates, automates several of these tasks. The CA issues a digital certificate (one-time-use key) to a device in the network that can authenticate itself to the CA server. Therefore, the process of generating and distributing keys is automated. Certificates are exchanged any time a new session is negotiated, so static pre-shared keys are not configured or stored, enhancing security and reducing administration. Cisco IOS Software supports interoperability with any X.509 v3 CA to enroll and use digital certificates for traffic authentication and encryption when secure communication is required. By enrolling a Cisco IOS Software device with a CA, the responsibility of managing the security key information is transferred to the network, reducing reliance on people for network security.

Cisco IOS Simplifies Security Infrastructure Deployment and Management

Provisioning and managing a secure network infrastructure becomes much simpler with the Cisco IOS Software PKI Enrollment features.

Provisioning

When deploying a secure network infrastructure, Cisco IOS Software PKI interoperability features reduce the network engineer's workload by eliminating the need to track cumbersome shared-secret lists. The CA interoperability features enable configuration of enrollment so that the router takes care of its enrollment status automatically; in a high-security environment, routers may be enrolled offline with a certificate that is hand-carried or sent via other out-of-band options.

Management: Auto Enrollment

Cisco IOS Software offers features that simplify network management. With the Auto-Enroll feature, network devices may be configured to periodically contact the CA and request a new certificate. This reduces the likelihood of network compromise through identity theft. Auto Enrollment may be configured to generate new encryption keys, or to continue to use existing keys.
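The Auto-Enroll behaviour described above, modelled in a day-granularity simulation. This is an added editor's example in Python, not Cisco code; the renewal threshold expressed as a percentage of certificate lifetime, the integer key ids standing in for RSA key pairs, and the constructed CA response are assumptions, not a description of how Cisco IOS implements the feature.

```python
import itertools

# Editor's model of periodic certificate renewal with optional key regeneration.
# Not Cisco code. Time is measured in days; key ids stand in for RSA key pairs.

def issue(key_id, day, lifetime):
    """Constructed CA response: a certificate record binding a key id to a validity window."""
    return {"key_id": key_id, "not_before": day, "not_after": day + lifetime}

def renewal_due(cert, day, percent):
    """The device contacts the CA once `percent` of the certificate lifetime has elapsed."""
    lifetime = cert["not_after"] - cert["not_before"]
    return day >= cert["not_before"] + lifetime * percent / 100

def simulate(days, lifetime, percent, regenerate):
    """Run one device for `days` days.

    Returns (days on which a renewal request was sent, key ids used over time,
    number of days on which the device held no valid certificate).
    """
    if not 0 < percent < 100:
        raise ValueError("renewal threshold must be 1..99 percent so renewal precedes expiry")
    ids = itertools.count(1)                 # hypothetical key-pair identifiers
    key = next(ids)
    cert = issue(key, 0, lifetime)
    renewals, keys, lapsed = [], [key], 0
    for day in range(1, days + 1):
        if renewal_due(cert, day, percent):
            if regenerate:                   # fresh key pair: a copy of the old private key stops being useful
                key = next(ids)
                keys.append(key)
            cert = issue(key, day, lifetime)
            renewals.append(day)
        if not cert["not_before"] <= day <= cert["not_after"]:
            lapsed += 1
    return renewals, keys, lapsed

if __name__ == "__main__":
    print(simulate(1000, 365, 70, regenerate=True))
    print(simulate(1000, 365, 70, regenerate=False))
```

With a one-year lifetime and a 70 percent threshold, both modes renew on the same days and never let the certificate lapse; the difference is only in key material, where the regenerate mode retires each private key at every renewal and the other keeps the original key for the whole run. The check on the threshold is the edge case worth keeping: a threshold at or beyond 100 percent would schedule renewal no earlier than expiry, which is the manual-intervention situation the data sheet is trying to avoid.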
Cisco IOS Public-Key Infrastructure Features to Simplify Deployment and Management

Table 1  PKI Features and Benefits

Auto-Enroll
  Benefit: Simplifies deployment and management by forcing the router to retrieve digital certificates.

Certificate-Based Access Control (CBAC)
  Benefit: Centralizes authorization information. A router can extract peer information from a certificate, present it to an AAA server (e.g., RADIUS), and receive an access list to define the access policy for that peer.

N-Tier Chaining
  Benefit: Allows Cisco IOS Software network devices to operate in a complex PKI environment, where the structure of the PKI is defined by organizational or geographical boundaries.

Manual and TFTP Enrollment
  Benefit: Increases the security of the enrollment process and granularity of control by enabling offline enrollment when the CAs must be closely monitored.
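The certificate-based access control path from Table 1 (certificate -> peer information -> AAA lookup -> access list), as an added editor's example in Python rather than Cisco code. It assumes the presented certificate has already passed the validation checks described earlier; the X.500-style subject string, the use of the OU attribute as the policy key, the in-memory AAA_POLICY table standing in for a RADIUS exchange, and the first-match access-list evaluation are all assumptions made for the example. The acronym CBAC is also used by the Cisco IOS Firewall for Context-Based Access Control, a different feature from the certificate-based authorization meant here.

```python
import ipaddress

# Editor's model of certificate-based access control; not Cisco code.
# Constructed AAA policy: peer OU -> access list of (action, destination prefix, port or None for any).
AAA_POLICY = {
    "branch-routers": [("permit", "10.0.0.0/8", 443), ("permit", "10.0.0.0/8", 22),
                       ("deny", "0.0.0.0/0", None)],
    "partner-gateways": [("permit", "10.50.0.0/16", 443), ("deny", "0.0.0.0/0", None)],
}

def parse_subject(subject):
    """Parse 'CN=router1,OU=branch-routers,O=Example' into a dict of attributes."""
    return dict(part.split("=", 1) for part in subject.split(","))

def peer_info(cert):
    """Extract the identity fields the router presents to the AAA server."""
    attrs = parse_subject(cert["subject"])
    return {"cn": attrs.get("CN"), "ou": attrs.get("OU"), "issuer": cert["issuer"]}

def aaa_lookup(info):
    """Stand-in for the RADIUS round trip: the access list for this peer, or None to reject."""
    return AAA_POLICY.get(info["ou"])

def acl_allows(acl, dst_ip, dst_port):
    """First-match evaluation with an implicit deny when no entry matches."""
    ip = ipaddress.ip_address(dst_ip)
    for action, prefix, port in acl:
        if ip in ipaddress.ip_network(prefix) and (port is None or port == dst_port):
            return action == "permit"
    return False

def authorize(cert, dst_ip, dst_port):
    """Full path: validated certificate -> peer info -> AAA policy -> access-list decision."""
    acl = aaa_lookup(peer_info(cert))
    if acl is None:
        return False            # no policy for this peer: AAA rejects the session
    return acl_allows(acl, dst_ip, dst_port)

# Constructed peers, already validated against the trust store.
BRANCH = {"subject": "CN=router1,OU=branch-routers,O=Example", "issuer": "corp-ca"}
PARTNER = {"subject": "CN=gw1,OU=partner-gateways,O=Partner", "issuer": "corp-ca"}
UNKNOWN = {"subject": "CN=lab1,OU=lab,O=Example", "issuer": "corp-ca"}

if __name__ == "__main__":
    for name, cert in (("branch", BRANCH), ("partner", PARTNER), ("unknown", UNKNOWN)):
        print(name, authorize(cert, "10.1.2.3", 443), authorize(cert, "10.50.1.1", 443))
```

The point the table makes is that the router stores no per-peer policy: the same certificate that authenticates the peer also selects its authorization, and a peer whose certificate maps to no policy gets nothing, which keeps the decision in one place (the AAA server) instead of spread across every device.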

Provisioning and Management Tools

Cisco offers multiple options for PKI provisioning and management, both as embedded management and as external management consoles. PKI is currently supported in the VPN Device Manager on routers from the Cisco 1710 to the Cisco 7200 Series Routers. One exception is the Cisco 3700 Series Routers, which will support this in the future. IP Solution Center offers a scripting interface to provision PKI enrollment on network devices. Another option for managing PKI configuration with regard to IPsec settings may be found in CiscoWorks. The requirements for network device management will dictate the appropriate management platform.

Platform Support

Cisco IOS Software supports PKI functionality on router platforms, beginning with Cisco IOS Software Release
Support for certificate enrollment and use with Cisco IOS IPsec is available through Cisco IOS Software Release 12.2T. After this release, Cisco enhanced the development cycle of Release 12.2T to increase PKI flexibility and increase the number of enrollment options.

Table 2  Availability

Router Platforms: Cisco 800 Series, Cisco uBR900 Series, Cisco 1600 Series, Cisco 1700 Series, Cisco 2600 Series, Cisco 3600 Series, Cisco 3700 Series, Cisco AS5x00 Series, Cisco 7100 Series, Cisco 7200 Series
Software: Cisco IOS Software Release 12.2(15)T

Cisco 6500 and 7600 Series will support Cisco PKI features as the new security service modules are developed.
